Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 352 of 425

H-Cloud, the problem was that line management did not verify staff’s purported remediation actions, such that line management did not know that there were remediation issues to surface to senior management, until the GIA’s escalation in mid. Benedict explained how senior management was generally involved in the audit process, as follows:

a) Results of internal audit reports were distributed to the Cluster Audit Committee, Cluster senior management, and IHiS senior management for CII and non-CII audits. For CII audits, the reports were also sent to CSG for monitoring of the follow-up action.

b) If, as GCIO, Benedict found that remediation was not being done per the stated timelines, he would escalate the matter to the Director of the Delivery Group (Leong Seng) and, if necessary, the IHiS CEO, Bruce, and at the same time keep SingHealth management apprised of the potential delay.
1018. Benedict suggested that regular updates by the Delivery Group on the status of audit items should be provided at CIO forums, for CIO to update Cluster management, with urgent matters highlighted.
1019. The GIA’s IT audit head, Thng Chiok Meng, suggested that the GIA’s verification of audit remediation action items could be done on a half-yearly basis for staggered batches of audit findings, instead of only being reviewed by the GIA in the next financial year.
1020. Separately, Dr Lim recommended that it should be an independent party who confirms implementation of the remediation according to the audit recommendation. The Committee agrees with this.
1021. Having considered all the evidence, we recommend that a written protocol for the remediation of audit findings should be established, which should set out, minimally, the following requirements:
a) A process for surfacing audit findings, and the status of audit findings, at regular intervals, to IHiS’ Audit and Risk Committee and CII owners (in this case, SingHealth).

b) A clear remediation plan by the Delivery Group for each audit finding must be drawn up that (i) details the actions which the issue owner will take to address all non-compliance and (ii) sets out the timeline(s) for implementing the actions stated.

c) Clear communication and agreement on the remediation plan by the Delivery Group with the auditor.

d) A system to be put in place for verification, at IHiS’ line management level, of the implementation of remediation plans.

e) A system for centralised tracking of the status of audit findings, and the propagation of remediation plans across Clusters, where relevant.

f) A process for escalation to IHiS’ Audit and Risk Committee and CII owners in the event of problems with the implementation of remediation plans.

g) Verification by the GIA of audit remediation action items to commence within six months of the audit findings, instead of only being reviewed by the GIA in the next financial year.
1022. There has to be a policy of zero tolerance towards false or incorrect reporting of remediation of audit findings.